MAY 4, 2012 | BY REBECCA BOWE,
In India, a massive effort is underway to collect biometric identity information for each of the country’s 1.2 billion people. The incredible plan, dubbed the “mother of all e-governance projects” by the Economic Times, has stirred controversy in India and beyond, raising serious concerns about the privacy and security of individuals’ personal data.

The plan is moving ahead at a clip under the auspices of the National Population Register (NPR) and the Unique ID (UID) programs, separately governed initiatives that have an agreement to integrate the data they collect to build the world’s largest biometric database. Upon enrollment, individuals are issued 12-digit unique ID numbers on chip-based identity cards. For residents who lack the necessary paperwork to obtain certain kinds of employment or government services, there’s strong incentive to get a unique ID. While the UID program is voluntary, enrollment in the NPR program is mandatory for all citizens.

The NPR program’s stated objectives are to streamline the delivery of government services such as welfare or subsidies, prevent identity fraud, and facilitate economic development, but some critics contend that the plan has its roots in an agenda focused on national security. Indian journalist Aman Sethi argues in a New York Times Op-Ed that the NPR originated with a 1992 government campaign to deport undocumented Bangladeshi immigrants, and that the creation of a comprehensive identity database was intended “exclusively to assist law enforcement.” And while UID was originally created to target India’s poorest 200 million citizens to facilitate service delivery, it has since been expanded to cover the country’s entire population.

The UID program is administered by the Unique Identity Authority of India (UIDAI), an executive body created to oversee the issuance of unique ID numbers for the stated purpose of facilitating access to benefits and services. At the helm of UID is Nandan Nilekani, a billionaire who made his fortune in the tech industry before ascending to his current role as chairman of the UIDAI.

While the NPR program has been moving ahead since 2004 with a relatively low level of public opposition, the more recently introduced UID project has sparked controversy. UID took center stage during a political feud last December when Parliament’s Standing Committee on Finance rejected a bill establishing the National Identification Authority of India, which would have granted the UID program statutory mandate. Although the bill was submitted in 2010, the UIDAI had already begun processing individuals and issuing numbers pending Parliamentary approval of the legislation, operating under the authority of the executive branch. The committee rejected the reasoning that they had the authority to do so, calling the program’s legality into question.

In late January, a compromise deal was struck between the NPR and the UID program administrators following a political turf war, when officials announced “the NPR and UID projects would proceed side by side to ensure that all Indian citizens have a unique number by June 2013.” Project administrators from UIDAI and India’s Ministry of Home Affairs, which oversees the Indian Census and the NPR program, announced that they would collaborate to de-duplicate the data to eliminate overlap for integration purposes.

To date, some 170 million individuals have been registered in the UID program. To perform the data collection, the UIDAI has executed Memoranda of Understanding (MOU) with partners — including states, union territories and 25 financial institutions — to act as registrars for implementing the scheme, according to a Parliamentary committee report.

The registrars, in turn, contract with tech firms such as Wipro, a company that has issued at least 6 million UID numbers in Maharashtra. Agents gather the data by going from village to village to set up processing camps, toting laptops and scanning equipment along with them and scrambling to process as many individuals as possible each day. In addition to demographic information, individuals’ biometric information is collected with iris scanners, fingerprint scanners, and face cameras that employ facial recognition technology. Morpho, a technology company, is a primary UID contractor that develops and maintains systems to crosscheck new applications by sifting through the biometrics database and prevent actual or fraudulent duplication.

The UID program is known as Aadhar, which also refers to the unique 12-digit number citizens are issued upon enrollment. According to recent news reports, a pilot program will link Aadhar with financial and banking services in 50 districts in a move that the UIDAI program director says will “change the financial landscape of the country.”

Nilekani has championed the UID program as a tool that can aid low-income sectors of India’s population by streamlining the delivery of public services and creating a system that is more inclusive to the poor. Yet R. Ramakumar of the Tata Institute of Social Sciences in Mumbai pushes back against this point in an op-ed in The Hindu, charging, “the UID would be an alibi for the state to leave the citizen unmarked in the market for social services.”

And if the interviews with Delhi’s poorest residents in this report is any indication, there’s also a danger that some marginalized individuals could slip through the cracks altogether.

An issue of greater concern, however, is that the biometric database could open the door to significant violations of personal privacy. The Aadhar system became mired in controversy last December surrounding the Parliamentary Standing Committee on Finance’s rejection of legislation that would have given it statutory mandate. In a report, lawmakers based their disapproval on concerns about security, data theft and the fact that that a national data protection law has yet to be enacted.

“The collection of biometric information and its linkage with personal information of individuals without statutory amendment appears to be beyond the scope of subordinate legislation,” committee members wrote.

They also seized on the risk, uncertainty, and potential for privacy violations that would be ushered in under the massive scheme:

“Considering the huge database size and possibility of misuse of information, enactment of a national data protection law, which is at a draft stage, is a prerequisite for any law that deals with large scale collection of information from individuals and its linkages across separate database…The committee is afraid that the scheme may wind up being dependent on private agencies…”

Despite these concerns, the UID program continues, while at the same time, biometric data collection for the NPR moves ahead on a separate track. Mandatory registration for all citizens in the NPR went into effect with the 2004 amendment of the Citizenship Act, providing that“the Central Government may compulsorily register every citizen of India and issue National Identity Card[s].”

Civil Society Responds

The Center for Internet and Society (CIS) has criticized the system due to design flaws that pose security and privacy concerns.

“We don’t need Aadhar because we already have a much more robust identity management and authentication system based on digital signatures that has a proven track record of working at a ‘billions-of-users scale on the Internet with reasonable security,” CIS Director Sunil Abraham noted in a Business Standard op-ed. “The UID project based on the so-called ‘infallibility of biometrics’ is deeply flawed in design. These design disasters waiting to happen cannot be permanently thwarted by band-aid policies.

“Biometrics are poor authentication factors because once they are compromised they cannot be re-secured unlike digital signatures. Additionally, an individual’s biometrics can be harvested remotely without his or her conscious cooperation. The iris can be captured remotely without a person’s knowledge using a high-res digital camera.” (For more detailed information on CIS’s work on India’s UID program, see here, here, here, here, here, and here.

Delhi-based NGOs have also condemned UID as an affront to civil liberties that violates citizens’ basic constitutional right to privacy.

In his Op-Ed, Ramakumar echoes Indian economist Amartya Sen in arguing that the system could open the door to abuse by law enforcement:

“There is a related concern: police and security forces, if allowed access to the biometric database, could extensively use it for regular surveillance and investigative purposes, leading to a number of human rights violations. As Amartya Sen has argued elsewhere, forced disclosure and loss of privacy always entailed ‘the social costs of the associated programs of investigation and policing.’ According to him, ‘some of these investigations can be particularly nasty, treating each applicant as a potential criminal.’”

Meanwhile, famed activist Arundhati Roy voiced scathing criticism against India’s biometric collection scheme, saying, “The UID is a corporate scam which funnels billions of dollars into the IT sector. To me, it is one of the most serious transgressions that is on the cards. It is nothing more than an administrative tool in the hands of a police state.”

It is irrationally excessive to collect this sensitive biometric data in a centralized nation-wide ID scheme. The massive collection of biometric information in a centralized ID scheme is not necessary nor proportionate in a democratic society.

EFF has documented (here, here, and here) the function creep risks that this data collection poses to privacy and security, including in those countries with data protection laws like the European Union. Informed analysis of the long-term consequences of the misused and secondary uses of this data collection and its impact in people’s lives should have been given to all citizens before the collection even started. There is still time to ask the Indian government to dismantle that colossal database, like the UK did.